Audit Report

OIG-10-035
Management Letter for Fiscal Year 2009 Audit of the
Department of the Treasury’s Financial Statements

February 4, 2010

Office of
Inspector General
DEPARTMENT OF THE TREASURY

This report has been reviewed for public dissemination by the Office of Counsel
to the Inspector General. Information requiring protection from public
dissemination has been redacted from this report in accordance with the
Freedom of Information Act, 5 U.S.C. Section 552.

Information within the FISCAL YEAR 2009 COMMENTS has been
REDACTED under FOIA Exemption 2, 5 U.S.C. §552(b)(2):

FISCAL YEAR 2009 COMMENTS:
 09-07: Encryption (see pages 9 and 10)

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF
INSPECTOR GENERAL

February 4, 2010

MEMORANDUM FOR DANIEL TANGHERLINI
               ASSISTANT SECRETARY FOR MANAGEMENT
               AND CHIEF FINANCIAL OFFICER

FROM:          Michael Fitzgerald
               Director, Financial Audits

SUBJECT:       Management Letter for Fiscal Year 2009 Audit of the
               Department of the Treasury’s Financial Statements

I am pleased to transmit the attached management letter in connection with the
audit of the Department of the Treasury’s (Department) Fiscal Year 2009 financial
statements. Under a contract monitored by the Office of Inspector General, KPMG
LLP (KPMG), an independent certified public accounting firm, performed an audit of
the financial statements of the Department as of September 30, 2009 and for the
year then ended.
The contract required that the audit be performed in accordance
with generally accepted government auditing standards; applicable provisions of
Office of Management and Budget Bulletin No. 07-04, Audit Requirements for
Federal Financial Statements, as amended; and the GAO/PCIE Financial Audit
Manual.

As part of its audit, KPMG issued, and is responsible for, the accompanying
management letter that discusses other matters involving internal control over
financial reporting and other operational matters that were identified during the
audit, but were not required to be included in the audit report.

In connection with the contract, we reviewed KPMG’s letter and related
documentation and inquired of its representatives. Our review disclosed no
instances where KPMG did not comply, in all material respects, with generally
accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a
member of your staff may contact Ade Bankole, Manager, Financial Audits at
(202) 927-5329.

Attachment

U.S. DEPARTMENT OF THE TREASURY
FISCAL YEAR 2009
Management Letter

December 15, 2009

U.S.
DEPARTMENT OF THE TREASURY
Fiscal Year 2009
Management Letter Report

Table of Contents

Transmittal Letter

  09-01: Financial Reporting Standards for Treasury’s Component Entities
         (Repeat Comment)
  09-02: Opening Balances
  09-03: Intragovernmental Transactions and Activities
  09-04: Reconciliation of the Statement of Budgetary Resources to the
         SF-133, Report on Budget Execution and Budgetary Resources
  09-05: Audit Logs
  09-06: Baseline Configurations
  09-07: Encryption

Exhibit 1 – Status of Prior Year Management Letter Comments

KPMG LLP
2001 M Street, NW
Washington, DC 20036

December 15, 2009

Inspector General
U.S. Department of the Treasury
Washington, D.C.

We have audited the consolidated financial statements of the U.S. Department of the Treasury
(Treasury Department) as of and for the year ended September 30, 2009, and have issued our report
thereon dated December 15, 2009. Our report indicated that we did not audit the amounts included
in the consolidated financial statements related to the Internal Revenue Service (IRS) or the Office
of Financial Stability (OFS), both component entities of the Treasury Department.
The financial
statements of the IRS and the OFS were audited by another auditor whose reports were provided to
us.

In planning and performing our audit of the consolidated financial statements of the Treasury
Department in accordance with auditing standards generally accepted in the United States of
America, we considered the Treasury Department’s internal control over financial reporting
(internal control) as a basis for designing our auditing procedures for the purpose of expressing our
opinion on the financial statements, but not for the purpose of expressing an opinion on the
effectiveness of the Treasury Department’s internal control. Accordingly, we do not express an
opinion on the effectiveness of the Treasury Department’s internal control.

During our fiscal year (FY) 2009 audit of the Treasury Department’s consolidated financial
statements, we, and the other auditor, noted certain matters involving internal control and other
operational matters that we considered significant deficiencies under standards established by the
American Institute of Certified Public Accountants (AICPA). A deficiency in internal control exists
when the design or operation of a control does not allow management or employees, in the normal
course of performing their assigned functions, to prevent, or detect and correct misstatements on a
timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal
control that is less severe than a material weakness, yet important enough to merit attention by
those charged with governance.
A material weakness is a deficiency, or combination of
deficiencies, in internal control, such that there is a reasonable possibility that a material
misstatement of the Treasury Department’s financial statements will not be prevented or detected
and corrected on a timely basis.

Our consideration of internal control was for the limited purpose described above and would not
necessarily identify all deficiencies in internal control that might be significant deficiencies or
material weaknesses. In our Independent Auditors’ Report dated December 15, 2009, we reported
the following significant deficiencies in the following areas involving internal control over
financial reporting:
    •   Financial Management Practices at the Departmental Level (Repeat Condition)
    •   Financial Systems and Reporting at the IRS (Repeat Condition)
    •   Financial Accounting and Reporting at the OFS
    •   Information System Controls at the Financial Management Service (FMS).

KPMG LLP, a U.S. limited liability partnership, is the U.S.
member firm of KPMG International, a Swiss cooperative.

We consider the significant deficiencies related to Financial Systems and Reporting at the IRS and
Financial Management Practices at the Departmental Level, noted above, to be material
weaknesses.
Detailed findings and recommendations to address the above significant deficiencies
are not repeated within this document.

Although not considered significant deficiencies, we noted certain matters involving internal
control and other operational matters that are presented in the attachment for your consideration.
These comments and recommendations, all of which have been discussed with the appropriate
members of the Treasury Department’s management, are intended to improve internal control or
result in other operating efficiencies. The matters presented in this letter do not include internal
control or operational matters that have been presented to the management of the Treasury
Department’s offices or operating bureaus that were audited separately by other auditors.

Exhibit 1 provides the status of the five comments included in our management letter arising from
our FY 2008 audit. We have not considered the Treasury Department’s internal control since the
date of our report.

We appreciate the courteous and professional assistance that the Treasury Department personnel
extended to us during our audit.
We would be pleased to discuss these comments and
recommendations with you at any time.

The Treasury Department’s written response to our comments and recommendations has not been
subjected to the auditing procedures applied in the audit of the consolidated financial statements,
and accordingly, we express no opinion on it.

This communication is intended solely for the information and use of the management of the
Treasury Department, the Treasury Department’s Office of Inspector General, the Office of
Management and Budget (OMB), the Government Accountability Office (GAO), and Congress and
is not intended to be, and should not be, used by anyone other than these specified parties.

Very truly yours,

FISCAL YEAR 2009 COMMENTS

09-01: Financial Reporting Standards for Treasury’s Component Entities (Repeat Comment)

The Treasury Department’s consolidated financial statements are prepared in conformity with
accounting principles prescribed by the Federal Accounting Standards Advisory Board (FASAB),
the accounting standards-setting body for the Federal Government, as recognized by the AICPA in
October 1999. However, certain Treasury Department component entities prepare their financial
statements in accordance with accounting standards prescribed by the Financial Accounting
Standards Board (FASB), the private sector standards-setting body, since the FASAB has allowed
entities that issued financial statements prior to October 1999 using FASB accounting to continue
to do so.
These component entities include the Bureau of Engraving and Printing, the Office of
Thrift Supervision, the Exchange Stabilization Fund, the Federal Financing Bank, and the
Community Development Financial Institutions Fund.

The use of a combination of generally accepted accounting principles (GAAP) by the Treasury
Department and its component entities complicates the preparation of the Treasury Department’s
consolidated financial statements since additional information required for Federal GAAP
reporting must be developed, mapped, and submitted to the Treasury Department’s data warehouse
by component entities, and reviewed for compliance with Federal GAAP and overall
reasonableness by the Treasury Department’s accounting management. In addition, the separately
issued financial statements of the component entities using FASB accounting principles do not
adequately portray the importance of the budgetary process as it relates to Federal entities.
Consequently, the concept of “presents fairly” for those entities does not adequately convey the
significant budgetary disclosures required by Federal GAAP.

Private sector GAAP does not contemplate budgetary reporting, and therefore, components using
this basis of accounting do not prepare the Statement of Budgetary Resources (SBR), although this
statement is an integral part of the Treasury Department’s consolidated financial statements, and
must be prepared regardless of whether or not the component receives appropriations from the U.S.
Government. Moreover, information reported in the Treasury Department’s SBR must be
reconciled to enacted amounts in the President’s budget and disclosed in the notes to the Treasury
Department’s consolidated financial statements.
Considerable additional preparation is required to
develop and report this data at the Department level for components using private sector GAAP.

Additionally, private sector GAAP does not provide sufficient information regarding the costs of
programs and activities. The Statement of Net Cost required by Federal GAAP requires that costs
and offsetting earned revenues be presented by responsibility segments, with net costs identified
for each of the segments, in order to provide more meaningful information to evaluate the
operating results of major activities.

Further, inconsistencies exist in how certain costs are reported by entities using private sector
GAAP. For example, Federal GAAP requires that nonreimbursed costs paid by the Office of
Personnel Management for retirement plans be recognized by the receiving entity as an imputed
cost in order to report the full cost of operations. Since private sector GAAP does not provide
guidance for the reporting of such imputed costs, these costs are being reported inconsistently, or
not at all, by the Treasury Department’s component entities.

This matter has been reported since FY 2004 and has not been resolved.
The continued use of
private sector GAAP by certain Treasury Department component entities decreases the usefulness
of information reported by these entities for users of Federal financial statements and complicates
the preparation of the Treasury Department’s consolidated financial statements.

09-01 Recommendation

We recommend that the Treasury Department’s Chief Financial Officer (CFO), with input from the
Director, Office of Accounting and Internal Control (AIC), work with those Treasury Department
bureaus following FASB reporting standards to achieve conformance so that all reporting entities
within the Treasury Department prepare their financial statements in accordance with Federal
GAAP in order to strengthen and standardize financial accounting and reporting throughout the
Treasury Department. If a bureau is statutorily required to report on a different basis of accounting,
then a separate set of financial statements should be prepared by these entities to meet such
requirements.

Management Response

We will continue to work with those Treasury components that prepare their stand-alone financial
statements on a commercial GAAP basis in order to work towards their migration to Federal
GAAP reporting in their stand-alone statements, especially as components have the need to replace
their legacy financial systems. At the same time, we will continue to monitor FASAB’s ongoing
work on this topic. At the present time, FASAB standards allow component entities who have
historically reported on a commercial GAAP basis to continue reporting in the same manner.
However, we recognize that this situation causes several financial reporting issues at the
Departmental level.

09-02: Opening Balances

Certain opening balance differences were identified during our review of the documentation
provided in support of opening balances.
AIC did not adequately prepare supporting
documentation and review the FY 2009 opening balances.

OMB Circular No. A-123, Management’s Responsibility for Internal Control, (OMB Circular No.
A-123) states that monitoring the effectiveness of internal control should occur in the normal
course of business. In addition, periodic reviews, reconciliations, or comparisons of data should be
included as part of the regular assigned duties of personnel. Periodic assessments should be
integrated as part of management’s continuous monitoring of internal control, which should be
ingrained in the agency’s operations. If an effective continuous monitoring program is in place, it
can level the resources needed to maintain effective internal controls throughout the year.

In implementing the GAO Standards for Internal Control in the Federal Government, management
is responsible for developing the detailed policies, procedures, and practices to fit in a
Department’s operations and to ensure that they are built into an integral part of its operations.
Internal controls should be clearly documented in management directives, administrative policies,
or operating manuals and should be properly managed and maintained.

09-02 Recommendation

We recommend that the CFO, with input from the Director of AIC, review existing preparation and
review procedures over the opening balances analysis that is conducted annually, assess the
improvements needed, and develop procedures to address the needed improvements.

Management Response

We concur with the recommendation and will perform a review of our policies and procedures over
opening balances, including supervisory review, and make improvements for identified
weaknesses.

09-03: Intragovernmental Transactions and Activities

AIC did not fully develop and validate a comprehensive process to include effective
internal
controls over the intragovernmental reporting process to ensure compliance with the Treasury
Federal Intragovernmental Transactions Accounting Policies Guide’s (TFITAPG) reporting
requirements in FY 2009.

We identified material variances in several line items in the Trading Partner balances between what
was submitted by AIC for third quarter FY 2009 into the FMS Intragovernmental Reporting and
Analysis System (IRAS) and the related intragovernmental partner and account balances in
Treasury Department’s general ledger. Specifically, we determined that not all intragovernmental
balances were submitted by AIC into IRAS as required by TFITAPG. These errors could have been
avoided had there been appropriate supervisory reviews of the data before submission.

The Treasury Department’s FMS provides detailed guidance on accounting and reconciling
intragovernmental balances in the TFITAPG. TFITAPG Section 4706.30b states, “In support of the
quarterly reconciliation process, verifying agencies must submit full proprietary adjusted trial
balances or submit, at a minimum, a trial balance that contains all their accounts with an ‘F’
attribute and the following other US Standard General Ledger (USSGL) accounts: 1010 (Fund
Balance With Treasury), 3101 (Unexpended Appropriations – Appropriations Received), and 3106
(Unexpended Appropriations – Adjustments) to FMS no later than July 23, 2009, for third quarter
fiscal 2009, and October 18, 2009, for fourth quarter fiscal 2009.”

OMB Circular No. A-123 states that monitoring the effectiveness of internal control should occur
in the normal course of business. In addition, periodic reviews and reconciliations, or comparisons
of data, should be included as part of the regular assigned duties of personnel.
Periodic assessments
should be integrated as part of management’s continuous monitoring of internal control, which
should be ingrained in the agency’s operations. If an effective continuous monitoring program is in
place, it can level the resources needed to maintain effective internal controls throughout the year.

In implementing the GAO Standards for Internal Control in the Federal Government, management
is responsible for developing the detailed policies, procedures, and practices to fit in a
Department’s operations and to ensure that they are built into an integral part of its operations.
Internal controls should be clearly documented in management directives, administrative policies,
or operating manuals and should be properly managed and maintained.

09-03 Recommendations

We recommend that the CFO, with input from the Director of AIC:
1. Develop policies and procedures to account and appropriately report the Treasury
   Department’s intragovernmental transactions as required by FMS in compliance with
   TFITAPG.
2. Mandate supervisory reviews of intragovernmental accounting transactions and related
   underlying data to assess accuracy and reasonableness prior to reporting to FMS.

Management Response

We agree with the recommendation.
We will incorporate the review of intragovernmental
transactions and balances into our overall review/updating of policies and procedures to ensure that
intragovernmental balances and transactions are properly identified and reviewed for accuracy and
completeness prior to reporting to FMS.

09-04: Reconciliation of the SBR to the SF-133, Report on Budget Execution and Budgetary
       Resources

The FY 2009 third quarter reconciliation of the SF 133, Report on Budget Execution and
Budgetary Resources (SF 133), to the unaudited third quarter SBR reconciliation for comparable
line items was not completed until September 2009.

The Treasury Department does not have policies in existence to require the timely completion of
these budgetary reconciliations, which could cause material differences requiring correction
between the SF 133 and the SBR. As a result, amounts reported on the SBR may be misstated. In
addition, the Treasury Department is not in compliance with reconciliation and reporting
requirements prescribed by OMB Circular No. A-136, Financial Reporting Requirements (OMB
Circular No. A-136).

OMB Circular No. A-136, Section II.4.6.1, states, “Information on the SBR should be reconcilable
to the budget execution information reported on the SF 133 Report on Budget Execution and
Budgetary Resources and with information reported in the Budget of the United States Government
to ensure the integrity of the numbers presented…Consistency between budgetary information
presented in the financial statements and the Budget of the United States Government is critical to
ensure the integrity of the numbers presented. The FACTS II helps to ensure the consistency of
data. The FACTS II data submitted by agencies are USSGL-based trial balances, which are used to
populate the SF 133 and the actual column of the Program and Financing Schedule of the Budget.”

OMB Circular No.
A-136, Sections II.4.6.5, 6, and 8 state, “The resources reported on this
statement shall agree with, and be reconciled to, the total budgetary resources reported for the
aggregate of all budget accounts on the SF 133... The status of budgetary resources reported on this
statement shall agree with, and be reconciled to, the total status reported for the aggregate of all
budget accounts on the SF 133...The outlays shall also agree with, and be reconciled to, the
aggregate of outlays reported on the SF 133 for the aggregate of all budget accounts, including
nonbudgetary financing accounts and the disbursements and collections reported to the Treasury
Department on a monthly basis (SF 224, Statement of Transactions; SF 1219, Statement of
Accountability; and SF 1220 Statement of Transactions) per Circular No. A-11.”

OMB Circular No. A-136, Section IV.3, indicates that “Agencies are required to submit an analysis
of material differences between the current quarter’s unaudited SBR and the current quarter’s
department-wide SF 133, Report on Budget Execution and Budgetary Resources. Agencies should
reconcile the two reports; however, agencies are only required to provide to OMB an explanation
for the material differences between the SBR and SF 133 for comparable line items related to
budgetary resources, obligations, and outlays.”

09-04 Recommendation

We recommend that the CFO, with input from the Director of AIC, strengthen current policies and
procedures related to its quarterly SF 133 to SBR reconciliations to require timely quarterly
reconciliations to be prepared and documented, including completion of supervisory review, so that
explanations for any material differences between the SBR and SF 133 for comparable line items
are provided to OMB timely.

Management Response

We agree with the recommendation.
The current Standard Operating Procedures (SOP) for
Reconciliation of Budget Execution Data will be reviewed and updated as necessary to incorporate
any additional documentation requirements, to clarify timelines, and to include provision for a
robust review by Treasury officials to support the SF-133/SBR Reconciliation. Quarterly
reconciliations of the FACTS II data and SBR are completed and are identified both in the Office
of Performance Budgeting (OPB) execution timeline and in the SOP, as are periodic reconciliations
of the SF-133 data and the SBR. OPB Management has filled the Budget Execution Team Lead
position, which will provide for regular supervisory review of reconciliations and other budget
execution reports and increased emphasis on timeliness and accuracy. In addition, an automated
tool to populate the data from the SBR and SF-133 into the reconciliation worksheet was developed
to assist in the reconciliation. This tool should improve the timeliness of the reconciliation.

09-05: Audit Logs

Currently, a database administrator (DBA) of the system is performing the review of the audit logs
for the Oracle database that supports the Treasury Department’s Information Executive Repository
(TIER), which creates an issue with segregation of duties, and in addition, there is no evidence of
review of the Oracle audit logs. The Treasury Department also has not documented who should
review the audit logs to ensure there is not a conflict of interest or require evidence to support the
review of the audit logs.

The lack of monitoring by a designated individual who is independent of the operation of TIER
makes it difficult for the DBA and System Owner to protect TIER against security and
infrastructure vulnerabilities and hold individual users accountable for system activities.
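The two control gaps named in this finding, a DBA reviewing the logs of a database the DBA administers and no evidence that any review took place, can both be enforced in the review tooling itself. The following is an added example and is not code from the management letter, KPMG or the Treasury Department. It parses constructed Oracle-style audit records (the field layout of timestamp, OS user, database user, action, object and return code is modelled on the columns of the DBA_AUDIT_TRAIL view and is an assumption, as are the account names TIER_DBA, TIER_APP, svc_ora and aroberts), flags privileged actions, writes to the audit-trail base tables and failed logons, refuses to let a DBA account or anyone who appears as an actor in the records act as the reviewer, and emits a review record carrying a SHA-256 of the exact log span examined so that the review leaves checkable evidence.

```python
"""Independent review of Oracle-style audit-trail records.

Added example; not code from the management letter, KPMG or Treasury. The
record layout (timestamp | OS user | DB user | action | object | return code)
is modelled on Oracle's DBA_AUDIT_TRAIL columns but is an assumption, as are
the account names and the sample records below.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Accounts that administer the database (assumed names). Anyone in this set,
# or anyone who appears as an actor in the records, is not independent.
DBA_ACCOUNTS = frozenset({"SYS", "SYSTEM", "TIER_DBA"})

# Actions that change who can do what; always worth a reviewer's attention.
PRIVILEGED_ACTIONS = frozenset({
    "GRANT ROLE", "GRANT OBJECT", "REVOKE ROLE", "ALTER USER", "CREATE USER",
    "DROP USER", "ALTER SYSTEM", "AUDIT", "NOAUDIT",
})
# Base tables of the audit trail itself; writes here can erase evidence.
AUDIT_TRAIL_OBJECTS = frozenset({"AUD$", "FGA_LOG$"})


@dataclass(frozen=True)
class AuditRecord:
    timestamp: str   # ISO-8601, UTC
    os_user: str
    db_user: str
    action: str
    obj_name: str
    returncode: int  # 0 on success, otherwise the ORA- error number

    @classmethod
    def parse(cls, line: str) -> "AuditRecord":
        ts, os_user, db_user, action, obj, rc = (f.strip() for f in line.split("|"))
        return cls(ts, os_user, db_user.upper(), action.upper(), obj.upper(), int(rc))


def flag(rec: AuditRecord) -> list[str]:
    """Return the reasons a record needs a reviewer's attention (empty if none)."""
    reasons: list[str] = []
    if rec.action in PRIVILEGED_ACTIONS:
        reasons.append("privileged action")
    if rec.obj_name in AUDIT_TRAIL_OBJECTS:
        reasons.append("touches audit trail")
    if rec.action == "LOGON" and rec.returncode != 0:
        reasons.append(f"failed logon (ORA-{rec.returncode:05d})")
    if rec.db_user in DBA_ACCOUNTS and rec.action not in {"LOGON", "LOGOFF"}:
        reasons.append("DBA account activity")
    return reasons


def is_independent_reviewer(reviewer: str, records: list[AuditRecord]) -> bool:
    """A reviewer must not be a DBA and must not appear in the activity reviewed."""
    os_users = {r.os_user for r in records}
    db_users = {r.db_user for r in records}
    return (reviewer.upper() not in DBA_ACCOUNTS
            and reviewer not in os_users
            and reviewer.upper() not in db_users)


def _log_digest(lines: list[str]) -> str:
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


def review_audit_trail(lines: list[str], reviewer: str) -> dict:
    """Flag records and produce a review record that serves as evidence of review.

    The record binds the reviewer, the time of review, the number of records
    examined and a SHA-256 of the exact log span examined.
    """
    lines = [l for l in lines if l.strip()]
    records = [AuditRecord.parse(l) for l in lines]
    if not is_independent_reviewer(reviewer, records):
        raise PermissionError(f"{reviewer} is not independent of the activity under review")
    findings = []
    for rec in records:
        reasons = flag(rec)
        if reasons:
            findings.append({"record": asdict(rec), "reasons": reasons})
    return {
        "reviewer": reviewer,
        "reviewed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "records_examined": len(records),
        "log_sha256": _log_digest(lines),
        "findings": findings,
    }


def verify_review(review: dict, lines: list[str]) -> bool:
    """Check that a stored review record covers exactly this log span."""
    return review["log_sha256"] == _log_digest([l for l in lines if l.strip()])


# Constructed sample records; not taken from any real system.
SAMPLE_AUDIT_TRAIL = [
    "2009-09-14T08:02:11Z | jsmith  | TIER_APP | LOGON      | -      | 0",
    "2009-09-14T08:02:40Z | jsmith  | TIER_APP | SELECT     | GL_BAL | 0",
    "2009-09-14T22:13:05Z | svc_ora | TIER_DBA | GRANT ROLE | DBA    | 0",
    "2009-09-14T22:14:37Z | svc_ora | TIER_DBA | DELETE     | AUD$   | 0",
    "2009-09-15T01:17:52Z | unknown | SYSTEM   | LOGON      | -      | 1017",
    "2009-09-15T01:18:03Z | unknown | SYSTEM   | LOGON      | -      | 1017",
    "2009-09-15T09:00:00Z | mlee    | TIER_APP | LOGOFF     | -      | 0",
]

if __name__ == "__main__":
    # "aroberts" is an assumed reviewer outside the DBA team.
    print(json.dumps(review_audit_trail(SAMPLE_AUDIT_TRAIL, "aroberts"), indent=2))
```

Run against the sample, the review flags the two TIER_DBA actions (a role grant and a delete from AUD$) and the two failed SYSTEM logons, and the same call with "TIER_DBA" or "svc_ora" as reviewer is refused. Storing the returned record alongside the retained log span gives the evidence of review the recommendation asks for; verify_review recomputes the digest so a later auditor can confirm that the record covers those records and no others.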
When
audit logs are not reviewed independently, and are not supported with evidence of a review by the
designated individual, suspicious activities may go undetected, leading to the compromise of TIER
data. In addition, unauthorized disclosure or changes to TIER may go undetected, compromising
the confidentiality and integrity of the data.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-12, An
Introduction to Computer Security, Section 9.4.2.1, Review of System Logs, states that “a periodic
review of system-generated logs can detect security problems, including attempts to exceed access
authority.” Section 18.3.2, Review of Audit Logs, states, “Application owners, data owners, system
administrators, data processing function managers, and computer security managers should
determine how much review of audit trail records is necessary, based on the importance of
identifying unauthorized activities.
This determination should have a direct correlation to the
frequency of periodic reviews of audit trail data.”

NIST SP 800-53, Recommended Security Controls for Federal Information Systems (NIST SP 800-
53), Control AU-6, Audit Monitoring, Analysis, and Reporting, states, “The organization regularly
reviews/analyzes information system audit records for indications of inappropriate or unusual
activity, investigates suspicious activity or suspected violations, reports findings to appropriate
officials, and takes necessary actions.”

NIST SP 800-53, Control AU-11, Audit Record Retention, states, “The organization retains audit
records [Assignment: organization-defined time period] to provide support for after-the-fact
investigations of security incidents and to meet regulatory and organizational information retention
requirements.”

09-05 Recommendations

We recommend that the Chief Information Officer (CIO), with input from the Office of the Deputy
Chief Financial Officer (DCFO):

1. Assign an individual other than the DBA to perform a review of the audit logs, or implement
   mitigating controls if the DBA has to perform the review such as System Owner or
   Management reviews.
2. Maintain evidence of the audit log reviews for the Oracle database.

Management Response

We agree with the recommendations to enhance audit log reviews. The Department believes that
reviewing the audit logs is an integral part of the DBA’s role. Therefore, the DBA will continue to
monitor the logs to identify any unusual or suspicious activities. In addition, a second party will
review the audit logs on a periodic basis to provide an independent review.
DCFO and CIO
Offices will develop a corrective action plan that will implement segregation of duties in the review
of audit logs and provide evidence that logs have been appropriately reviewed.

09-06: Baseline Configurations

The Treasury Department does not currently have the baseline configurations documented for the
production servers that support TIER and CFO Vision in the system security plan. The Treasury
Department’s management was not aware that they needed to document their standard baseline
configuration for the production servers of TIER and CFO Vision.

Without properly implemented baseline configurations, systems may not be updated properly with
needed patches and upgrades. Insecure system configurations may expose security weaknesses,
provide enticement information to a malicious user, provide access to remote users, and allow users
to replace, retrieve, or modify sensitive data.

The Treasury Department’s Information Technology Security Program, Treasury Directive
Publication 85-01, Section 3.5, Security Configuration and Vulnerability Management Policy,
states, “Bureaus shall develop and implement Configuration, Vulnerability, and Patch Management
plans for all of their IT systems and networks.”

NIST SP 800-53, Control CM-2, states, “The organization develops, documents, and maintains a
current baseline configuration of the information system.”

NIST SP 800-53, Control CM-6, states, “The organization: (i) establishes mandatory configuration
settings for information technology products employed within the information system;
(ii) configures the security settings of information technology products to the most restrictive mode
consistent with operational requirements; (iii) documents the configuration settings; and
(iv) enforces the configuration settings in all components of the information
system.\xe2\x80\x9d\n\n09-06: Recommendations\nWe recommend that the CIO, with input from the DCFO:\n    (1) Formally document the baseline configuration for the production servers of TIER and CFO\n        Vision.\n    (2) Assess compliance with the baseline configuration on an annual basis, at a minimum.\n\nManagement Response\nWe agree with the recommendation. The CIO\xe2\x80\x99s Office has developed a baseline configuration for\nthe FARS server environment and will update the System Security Plan during the upcoming 2010\ndocument update. On at least an annual basis, Treasury will conduct a system test to assess the\nbaseline configuration and document any variances to the baseline.\n09-07: Encryption\nUser sessions                                     are not encrypted using Secure Sockets Layer\n(SSL). The Treasury Department\xe2\x80\x99s management did not completely enforce the security\nrequirements that require the use of SSL when accessing                     , and the Treasury\nDepartment did not have an effective monitoring process established to ensure compliance with\ntheir minimum security controls. Without the use of SSL, users\xe2\x80\x99 logon credentials could be\ncompromised. If a user\xe2\x80\x99s logon credentials were compromised, unauthorized access\n            could occur.\nFARS System Security Plan, Control SC-13, Use of Cryptography, states that the SSL should be\nused for the               applications.\n\n\n\n\n                                                 9\n\x0cNIST SP 800-46, Security for Telecommuting and Broadband Communications, Section 5.7, states,\n\xe2\x80\x9cEncryption is important for both data transmission and data storage. Encryption is critical for\ntransmission whenever sensitive data is being transmitted over an insecure network such as the\nInternet. 
Encryption is important for storage whenever the data is subject to compromise.\xe2\x80\x9d\n09-07 Recommendation\nWe recommend that the CIO, with input from the Office of the DCFO, implement the use of SSL\nfor the               applications.\nManagement Response\nWe agree with the recommendation. The Department will implement Transport Layer Security\n(TSL) to provide data encryption for the             applications. It is anticipated that this\nimplementation will be completed during the second quarter of fiscal year 2010.\n\n\n\n\n                                              10\n\x0c                                                                                   EXHIBIT 1\n\n                        U.S. DEPARTMENT OF THE TREASURY\n                                       Fiscal Year 2009\n                                   Management Letter Report\n                      Status of Prior Year Management Letter Comments\n\n\n\nPrior Year Comments                                 Current Year Status\n\n08-01   President\xe2\x80\x99s Budget Reconciliation (Repeat   This comment has not been corrected and is\n        Comment)                                    included in the FY 2009 Audit Report on the\n                                                    Treasury Department\xe2\x80\x99s financial statements\n                                                    as a significant deficiency that formed part of\n                                                    the material weakness titled \xe2\x80\x9cFinancial\n                                                    Management Practices at the Departmental\n                                                    Level (Repeat Condition).\xe2\x80\x9d\n08-02   Financial Reporting Standards for           This comment has not been corrected and is\n        Treasury\xe2\x80\x99s Component Entities (Repeat       repeated in the current year as comment\n        Comment)                                    09-01.\n08-03   
Mortgage-backed Securities (MBS)            This comment has been corrected.\n        Purchase Reconciliations\n08-04   Disaster Recovery Procedures (Repeat        This comment has been corrected.\n        Comment)\n08-05   Database-level User Access                  This comment has been corrected.\n\n\n\n\n                                            11\n\x0c'
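Comment 09-05 above calls for an audit-log reviewer who is not the DBA and for retained evidence of each review. The following Python script is an added example of how a second party could perform and evidence such a review; it is not the report's or the Department's own tooling. The account names, the simplified audit-row fields and the sample rows are constructed for illustration (they are not Oracle's actual audit-trail layout), and the indicators it flags (changes to the SYS.AUD$ audit table, privilege grants, repeated failed logons, off-hours DBA activity) are assumed review criteria, not ones the report specifies.

```python
"""Independent audit-log review with a segregation-of-duties check and a
retained evidence record. Added example, not the report's or the Department's
own tooling. The row layout, account names and sample rows below are
constructed and simplified; they are not Oracle's actual audit-trail schema."""
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone

# Accounts holding the DBA role (constructed). A review signed off by one of
# these accounts is not independent of the activity being reviewed.
DBA_ACCOUNTS = {"SYS", "SYSTEM", "DBA_JSMITH"}


def row(ts, user, action, obj="", rc=0):
    """One simplified audit row; rc is the statement return code (0 = success)."""
    return {"ts": ts, "user": user, "action": action, "obj": obj, "rc": rc}


# Constructed sample audit rows (not real Treasury data).
SAMPLE_AUDIT_ROWS = [
    row("2009-09-01T09:12:00+00:00", "APP_USER", "LOGON"),
    row("2009-09-01T09:13:00+00:00", "APP_USER", "SELECT", "GL.BALANCES"),
    row("2009-09-01T02:40:00+00:00", "DBA_JSMITH", "DELETE", "SYS.AUD$"),
    row("2009-09-01T10:00:00+00:00", "DBA_JSMITH", "GRANT", "DBA"),
    row("2009-09-01T11:00:00+00:00", "TEMP01", "LOGON", rc=1017),
    row("2009-09-01T11:00:05+00:00", "TEMP01", "LOGON", rc=1017),
    row("2009-09-01T11:00:10+00:00", "TEMP01", "LOGON", rc=1017),
]


class SegregationOfDutiesError(Exception):
    """Raised when the reviewer is one of the accounts whose activity is reviewed."""


def is_independent_reviewer(reviewer):
    """True when the reviewer does not hold the DBA role."""
    return reviewer.upper() not in DBA_ACCOUNTS


def find_indicators(rows, failed_logon_threshold=3, business_hours=(7, 19)):
    """Return human-readable findings for the indicators a reviewer would
    escalate: changes to the audit trail itself, privilege grants, repeated
    failed logons, and DBA-account activity outside business hours (UTC)."""
    findings = []
    failed_logons = Counter()
    start, end = business_hours
    for r in rows:
        user, action, obj = r["user"], r["action"], r["obj"].upper()
        hour = datetime.fromisoformat(r["ts"]).astimezone(timezone.utc).hour
        if obj == "SYS.AUD$":
            findings.append(f"{action} on the audit trail (SYS.AUD$) by {user} at {r['ts']}")
        if action == "GRANT":
            findings.append(f"privilege grant of {r['obj']} by {user} at {r['ts']}")
        if action == "LOGON" and r["rc"] != 0:
            failed_logons[user] += 1
        if user in DBA_ACCOUNTS and not start <= hour < end:
            findings.append(f"off-hours activity by DBA account {user}: {action} at {r['ts']}")
    for user, n in failed_logons.items():
        if n >= failed_logon_threshold:
            findings.append(f"{n} failed logons for {user} (threshold {failed_logon_threshold})")
    return findings


def review_audit_log(rows, reviewer, reviewed_at=None):
    """Perform the review and return the evidence record to retain.

    The record ties the reviewer, the review time, the row count and a SHA-256
    over the exact rows reviewed to the findings, so a later auditor can
    verify which log extract was examined, by whom, and what was escalated."""
    if not is_independent_reviewer(reviewer):
        raise SegregationOfDutiesError(
            f"{reviewer} holds the DBA role and cannot be the sole reviewer")
    canonical = json.dumps(rows, sort_keys=True, separators=(",", ":")).encode()
    return {
        "reviewer": reviewer,
        "reviewed_at": (reviewed_at or datetime.now(timezone.utc)).isoformat(),
        "record_count": len(rows),
        "records_sha256": hashlib.sha256(canonical).hexdigest(),
        "findings": find_indicators(rows),
    }


if __name__ == "__main__":
    evidence = review_audit_log(SAMPLE_AUDIT_ROWS, "audit_reviewer")
    # In practice append this to a write-once evidence store; printed here.
    print(json.dumps(evidence, indent=2))
```

The evidence record is what recommendation 2 asks for: it shows not just that a review happened but which extract was reviewed (via the hash), by whom, and what was escalated. Storing the records somewhere the DBA cannot alter keeps the evidence independent of the role being reviewed.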
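Comment 09-06 recommends documenting a baseline configuration and assessing compliance against it at least annually, with variances documented. The following Python script is an added example of such an assessment, not the report's or Treasury's own tooling: it parses a constructed "key = value" configuration export for two hypothetical servers, compares each against a constructed baseline, and reports missing, mismatched and undocumented settings, marking any variance that has an approved, documented exception. The settings, server names and baseline values are assumptions for illustration.

```python
"""Baseline configuration variance check. Added example, not the report's or
Treasury's own tooling. Assumes each server's settings can be exported as a
text dump of "key = value" lines; the baseline, server names and settings
below are constructed for illustration."""

# Documented baseline: the mandatory value for every controlled setting
# (a constructed, deliberately small set).
BASELINE = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "Protocol": "2",
    "audit.enabled": "1",
    "ntp.server": "ntp.example.internal",
}

# Constructed configuration dumps for two hypothetical production servers.
OBSERVED_DUMPS = {
    "tier-prod-01": """
        # exported from the host (constructed)
        PasswordAuthentication = no
        PermitRootLogin = yes
        Protocol = 2
        audit.enabled = 1
        ntp.server = ntp.example.internal
    """,
    "cfovision-prod-01": """
        PasswordAuthentication = yes
        PermitRootLogin = no
        Protocol = 2
        ntp.server = ntp.example.internal
        X11Forwarding = yes
    """,
}

# Variances reviewed and accepted in writing, keyed by server (constructed).
APPROVED_EXCEPTIONS = {"cfovision-prod-01": {"X11Forwarding"}}


def parse_kv_dump(text):
    """Parse 'key = value' lines; blank lines, comments and malformed lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # no '=' on the line: not a setting
        settings[key.strip()] = value.strip()
    return settings


def assess_baseline(baseline, observed, approved=frozenset()):
    """Compare one server's observed settings against the baseline.

    Three kinds of variance are reported: 'mismatch' (value differs),
    'missing' (a baseline setting is absent from the host) and 'undocumented'
    (a setting on the host that the baseline does not cover). Approved
    exceptions stay in the report, flagged as accepted, so the annual
    assessment still documents every variance to the baseline."""
    variances = []
    for key, expected in baseline.items():
        if key not in observed:
            variances.append({"setting": key, "kind": "missing",
                              "expected": expected, "observed": None})
        elif observed[key] != expected:
            variances.append({"setting": key, "kind": "mismatch",
                              "expected": expected, "observed": observed[key]})
    for key in sorted(set(observed) - set(baseline)):
        variances.append({"setting": key, "kind": "undocumented",
                          "expected": None, "observed": observed[key]})
    for v in variances:
        v["accepted"] = v["setting"] in approved
    return variances


def assess_fleet(baseline, dumps, exceptions):
    """Assess every server and return {server: [variances]}."""
    return {
        name: assess_baseline(baseline, parse_kv_dump(text), exceptions.get(name, set()))
        for name, text in dumps.items()
    }


def unaccepted_count(report):
    """Number of variances across the fleet that have no approved exception."""
    return sum(1 for vs in report.values() for v in vs if not v["accepted"])


if __name__ == "__main__":
    report = assess_fleet(BASELINE, OBSERVED_DUMPS, APPROVED_EXCEPTIONS)
    for server, vs in report.items():
        print(f"{server}: {len(vs)} variance(s)")
        for v in vs:
            flag = " (accepted exception)" if v["accepted"] else ""
            print(f"  {v['kind']:<12} {v['setting']}: expected {v['expected']!r}, "
                  f"observed {v['observed']!r}{flag}")
    print(f"unaccepted variances: {unaccepted_count(report)}")
```

Reporting undocumented settings alongside mismatches matters because CM-6 asks for settings to be both documented and enforced: a host running settings the baseline never mentions is a gap in the documentation as much as a deviation on the host.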